Central processing units, or CPUs, are the key mechanisms in computer systems. CPUs execute sequences of instructions that constitute computation. CPUs can be implemented as chips, or as a collection of chips and other components. Many forms of computer and network security incidents include tampering with the installed software. If tampering takes place, then network messages, computed results, audit records, maintenance commands, security management, and other functions are suspect. Current technology provides for manually initiated checks for tampering that are reasonably effective, but intrusive to carry out. Familiar forms of tampering include trapdoors, Trojan horse programs, and computer viruses.
Referring to the figures, where like reference numbers denote like elements, FIG. 1 shows a computer system 100 using a conventional architecture. The central processing unit 105 interfaces with programs 120, 130 and 140 via an operating system 110. The operating system 110 retrieves authorized programs 120, 130 and 140 from some type of fixed medium and provides instructions for the CPU 105 to execute.
All checks for tampering face what is known as the problem of deceptive interpretation. Checks for tampering are made using computer programs, i.e. sequences of machine language instructions executed by the computer being checked, or responses to network messages that are the result of program execution. In a system that has been tampered with, it is straightforward to modify the operating system (or other software) so that the instructions that perform the checks are intercepted and bogus results returned.
The problem of deceptive interpretation is that, in the general case, no sequence of instructions can test the processor that executes those instructions, to confirm that the instructions are not being interpreted by some other processor (i.e. a malicious program in software) that is simulating what appears to be the correct processor (i.e. the hardware CPU chip).
FIG. 2 shows a computer system using a conventional architecture that has been compromised by a deceptive interpreter. As shown in FIG. 2, the deceptive interpreter, or malicious program 260, creates a layer 250 between the CPU 105 and the operating system 110 that effectively isolates the CPU 105 from security check software 140 or similar security related programming. The deceptive interpreter layer 250 is underneath the operating system 110, and thus a security program 140 that functions under the command of the operating system 110 can be “fooled” by the deceptive interpreter through conditioning the responses 106 from the CPU 105. By isolating the CPU 105, and “conditioning” any input received from or output transmitted 107 to the computer system, a deceptive interpreter can simulate a normally functioning CPU to the greater computer system.
Between each legitimate instruction simulated, the deceptive interpreter can perform an arbitrary number of its own unauthorized and often malicious instructions 260 without being detected by the human operator, the security check program 140, or other authorized programs 120, 130 being executed by the system. This principle is related to the problem of computer viruses and Trojan horses. Malicious software 260 can use this problem to avoid detection and prevent security checks 140 from discovering any unauthorized actions.
In the case of checks for tampering, current technology has the user insert some form of removable storage media that is capable of re-booting (i.e. stopping all of the running software and replacing it with a known good copy from the removable media) the system to be checked. The user can then press a keyboard key or button to force the hardware to re-boot from the removable media. This makes it extremely difficult for an attacker to interpose a deceptive interpreter between the checking program and the system to be checked.
The manual insertion of removable media and re-booting is time consuming, does not scale well to larger networks, and frustrates automated security management. There is a great deal of research and commercial interest in the application of autonomous mobile software agent technology to security management, intrusion detection, and security incident response. There is even more interest in general use of this technology. At present, agent technology cannot be used for security functions, because of the problem of deceptive interpretation. Agents are above the operating system and are therefore above a deceptive interpretation layer. An agent moving to a new computer to carry out its responsibilities cannot detect that it has been encapsulated by a deceptive interpreter. By passing false results to the agent, the deceptive interpreter can mislead the agent into incorrect behavior.
At present the two solutions to the deceptive interpreter problem are to either: 1) use manual insertion of removable media followed by re-boot, as just described, or 2) only run immutable programs that have been shown to be free from security flaws. Both of these approaches render agent technology unusable for security functions or general functions that require trust. Examples of the latter include financial, legal, and medical applications.
Human users of computers face a similar problem with Trojan horses and viruses. A human computer user cannot, in the general case, tell what instructions are being executed on a computer, just by looking at its display or other outputs. These outputs can be falsified. An example of this is password stealing via a false login screen. It is possible to tamper with a computer so that it displays a screen that looks like the legitimate login display, but actually emails the user's password to a malefactor before logging the user in. To combat this threat, users are given what is called a secure attention key. In its correct implementation, a secure attention key is a keyboard key that causes a distinguished signal to be sent directly to the computer's hardware CPU, thus bypassing all software running on the computer. The CPU is designed to carry out a known sequence of instructions that confirms the authenticity of the login (or other security relevant feature), whenever this distinguished signal is received.
Clearly, software agents cannot use this feature, since at best they must use machine language instructions to access a computer keyboard. Once again, these instructions are subject to deceptive interpretation which would omit the distinguished signal. Checks for software tampering are now more necessary than ever. One example would be the Tripwire system developed at Purdue University.
Tripwire calculates, records, and confirms checksums or digital signatures of files on the storage media of computer systems. The other possible form of check would be to inspect the image of the running software, i.e. the bit patterns representing the software in memory as it executes. There are limitations to this approach, because it is difficult to be confident that the tamper checks have not themselves been tampered with. The limitations are twofold:
1) the checks are dependent on whatever operating system is used to support the checking software, and
2) reasonably believable checks require human assistance in the form of rebooting the system and inserting special storage media that contains the checking software.
The rebooting is done to ensure that the operating system supporting the check is trustworthy; insertion or mounting of special media is done for the same reason: the special media is kept separate from the system to be checked and is thus unlikely to have been tampered with. High-assurance checks are thus manual and do not scale well to large networks.
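An added illustration, not part of the patent text, of the Tripwire-style record/confirm check described above and of why its result is only as trustworthy as the read path beneath it. File paths and contents are constructed sample data held in memory; no real files are touched.

```python
# Added illustration (not from the patent): a Tripwire-style checksum
# record/confirm step, plus a model of deceptive interpretation in which
# the layer beneath the checker answers its reads.  All data is constructed.
import hashlib
from typing import Callable, Dict

# Constructed sample storage medium: path -> contents.
ORIGINAL: Dict[str, bytes] = {
    "/bin/login": b"login program, release build",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Tripwire 'record': checksum every file while the system is trusted."""
    return {path: digest(data) for path, data in files.items()}


def confirm(baseline: Dict[str, str],
            read: Callable[[str], bytes]) -> Dict[str, bool]:
    """Tripwire 'confirm': re-read each file through `read` and compare.
    The checker sees only what the read path hands back to it."""
    return {path: digest(read(path)) == expected
            for path, expected in baseline.items()}


def scenario():
    """Check a tampered system twice: once through a read path that reaches
    real storage, once through an interposed path (the FIG. 2 layer 250)."""
    baseline = record_baseline(ORIGINAL)
    tampered = dict(ORIGINAL)
    tampered["/bin/login"] = b"login program, altered"  # modified binary
    # Honest read path: the checker's instructions reach the real storage,
    # so the modified /bin/login fails its checksum.
    honest = confirm(baseline, lambda p: tampered[p])
    # Deceptive interpreter: the layer beneath the checker answers each read
    # with the bytes the checker expects, so every checksum appears correct.
    interposed = confirm(baseline, lambda p: ORIGINAL[p])
    return honest, interposed


if __name__ == "__main__":
    print(scenario())
```

The second result is why the patent treats checks that run above a possibly interposed layer as unreliable, and why current practice falls back on a reboot from separate media.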
Another approach for software tampering checks, or more specifically digital rights management, is Microsoft's Palladium initiative, renamed Next-Generation Secure Computing Base for Windows. This approach is described in U.S. Pat. No. 6,330,670 held by Microsoft. The Palladium approach is to refuse to load programs into memory unless they have a digital signature provided by the owner of the digital-rights-managed data, e.g. Microsoft or Disney.
The mechanism by which this is done has three parts:
1) a cryptographic scheme that ensures that the computer only boots a correctly signed version of the operating system, including initialization of the second part,
2) a separate protected area of memory that cannot be tampered with, and
3) trusted software in the protected area of memory that performs digital signature and privacy encryption functions. The keys, algorithms, and implementation are all provided by the software manufacturers.
The first part, secure booting, is described in U.S. Pat. No. 6,185,678. The trusted software that runs in the protected memory is the component that checks signatures and decrypts programs before allowing them to be run. For digital rights management, it also runs programs supplied by content providers. The content provider programs (not part of the patent and also prior art) perform functions like playing music or videos only the authorized number of times for the paying user. The original problem with these content provider programs was that they could be tampered with. Palladium protects these content provider programs from tampering that would violate digital rights.
Palladium also now allows the hardware to be fingerprinted, by incorporating values read from the user's hardware, and using this fingerprint as part of the digital signature scheme. Privacy encryption services are provided to prevent copying of music, videos, programs, etc., while they are on a disk or other storage media. However, neither Tripwire nor Palladium addresses the problem of a system attack through deceptive interpretation.
Thus, a need exists for a system architecture that allows software to initiate software and system integrity checks that are resistant to deceptive interpretation.